bogus alt-svc header causing h3 upgrades
-
I'm running Ghost (v6.22) on Cloudron behind a reverse proxy. I noticed that Ghost's ActivityPub endpoints (.ghost/activitypub/*) return response headers that
don't come from Ghost or Cloudron's nginx — they come from an upstream Google service:via: 1.1 google
x-cloud-trace-context: ...
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000Regular Ghost endpoints (e.g. /ghost/api/admin/site/) return the expected headers — X-Powered-By: Express, no Google trace, no alt-svc:
server: nginx
x-powered-by: Express
content-version: v6.22But any request to /.ghost/activitypub/* gets proxied by Ghost to an external Google Cloud-hosted service (Ghost's managed ActivityPub backend), and the response
headers from that upstream are passed through unfiltered — including alt-svc: h3=":443"; ma=2592000.The problem: This alt-svc header tells browsers/clients that HTTP/3 is available on port 443 of my server. If a client honors this, it will attempt a QUIC/H3
connection to my server, which may not support H3 at all — leading to failed connections or degraded behavior. The alt-svc is meant for Google's infrastructure,
not mine.Expected behavior: Ghost (or Cloudron's nginx) should strip upstream alt-svc headers before returning responses to clients, since they refer to the upstream's
capabilities, not the server actually facing the client.How to reproduce:
curl -sI https://your-ghost-instance/.ghost/activitypub/ | grep -i alt-svcCompare with a regular Ghost endpoint:
curl -sI https://your-ghost-instance/ghost/api/admin/site/ | grep -i alt-svcThe first returns alt-svc, the second does not.
-
Great report @philkunz . I think https://git.cloudron.io/packages/ghost-app/-/merge_requests/163 should fix it . I could reproduce this on blog.cloudron.io .
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login